Bug 1035254

Summary: ssh client does not use primary ccache of a Kerberos ccache collection
Product: Red Hat Enterprise Linux 6
Reporter: Sumit Bose <sbose>
Component: doc-Identity_Management_Guide
Assignee: Deon Ballard <dlackey>
Status: CLOSED CURRENTRELEASE
QA Contact: ecs-bugs
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.6
CC: abokovoy, dlackey, mattias.ellert, mgrepl, mkosek, plautrba, pviktori, rcritten, ssorce, tmraz
Target Milestone: rc
Keywords: Documentation
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-07-29 20:25:35 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1034958
Bug Blocks:

Description Sumit Bose 2013-11-27 11:42:51 UTC
Description of problem:

If a Kerberos credential cache collection is used, the ssh client does not use the current primary credential cache but picks a different one:

[root@vm-197 ~]# kdestroy -A
[root@vm-197 ~]# klist -A
[root@vm-197 ~]# kinit admin
Password for admin: 
[root@vm-197 ~]# kinit Administrator
Password for Administrator: 
[root@vm-197 ~]# klist
Ticket cache: DIR::/run/user/0/krb5cc/tktLm9rKl
Default principal: Administrator

Valid starting       Expires              Service principal
27.11.2013 11:25:23  27.11.2013 21:25:23  krbtgt/SUBDOM.SUB
	renew until 28.11.2013 11:25:16
[root@vm-197 ~]# klist -l
Principal name                 Cache name
--------------                 ----------
Administrator       DIR::/run/user/0/krb5cc/tktLm9rKl
admin              DIR::/run/user/0/krb5cc/tktk9sv02
[root@vm-197 ~]# ssh -l Administrator vm-197.idm.lab.eng.brq.redhat.com
Administrator@vm-197.idm.lab.eng.brq.redhat.com's password: 

[root@vm-197 ~]# klist -A
Ticket cache: DIR::/run/user/0/krb5cc/tktLm9rKl
Default principal: Administrator

Valid starting       Expires              Service principal
27.11.2013 11:25:23  27.11.2013 21:25:23  krbtgt/SUBDOM.SUB
	renew until 28.11.2013 11:25:16

Ticket cache: DIR::/run/user/0/krb5cc/tktk9sv02
Default principal: admin

Valid starting       Expires              Service principal
27.11.2013 11:25:18  28.11.2013 11:25:16  krbtgt/IPASB.SBOSE
27.11.2013 11:25:48  28.11.2013 11:25:16  host/vm-197.idm.lab.eng.brq.redhat.com

The host ticket is obtained for admin although Administrator is the primary one and should be used in this case.

Version-Release number of selected component (if applicable):
openssh-6.2p2-6.fc19  (looks like newer versions in F20 and F21 are affected as well)



Actual results:
Wrong ccache is used by ssh client

Expected results:
ssh client should use the primary credential cache in a credential cache collection.

Additional info:
I rebuilt openssh-6.4p1-2 from F20 on the same F19 host and found the same issue. So it looks like newer versions of openssh are affected as well.
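
A small check for the situation the transcript shows (an added example, not part of the bug report or of openssh/krb5): it parses `klist -A` output, reports which cache in the collection holds the service ticket for a given host, and which realm each cache's TGT belongs to, so the realm mismatch between the primary cache and the cache actually used becomes visible. The sample input is a constructed copy of the `klist -A` output above; the function names are my own.

```python
import re

# Constructed sample, shaped like the `klist -A` output in the report above.
SAMPLE_KLIST_A = """\
Ticket cache: DIR::/run/user/0/krb5cc/tktLm9rKl
Default principal: Administrator

Valid starting       Expires              Service principal
27.11.2013 11:25:23  27.11.2013 21:25:23  krbtgt/SUBDOM.SUB
\trenew until 28.11.2013 11:25:16

Ticket cache: DIR::/run/user/0/krb5cc/tktk9sv02
Default principal: admin

Valid starting       Expires              Service principal
27.11.2013 11:25:18  28.11.2013 11:25:16  krbtgt/IPASB.SBOSE
27.11.2013 11:25:48  28.11.2013 11:25:16  host/vm-197.idm.lab.eng.brq.redhat.com
"""


def parse_klist_all(text):
    """Return a list of (cache_name, client_principal, [service principals])."""
    caches = []
    current = None
    for line in text.splitlines():
        if line.startswith("Ticket cache: "):
            current = [line[len("Ticket cache: "):].strip(), None, []]
            caches.append(current)
        elif line.startswith("Default principal: ") and current is not None:
            current[1] = line[len("Default principal: "):].strip()
        elif current is not None and re.match(r"^\d", line):
            # Ticket rows start with a date; the last column is the service
            # principal. "renew until" lines are indented and are skipped.
            current[2].append(line.split()[-1])
    return [tuple(c) for c in caches]


def tgt_realm(services):
    """Realm of the cache, taken from its krbtgt/REALM entry (None if absent)."""
    for svc in services:
        if svc.startswith("krbtgt/"):
            return svc[len("krbtgt/"):]
    return None


def cache_holding_service(text, service):
    """Which cache (and client principal) holds a ticket for `service`?"""
    for name, principal, services in parse_klist_all(text):
        if service in services:
            return name, principal
    return None
```

Running `cache_holding_service(SAMPLE_KLIST_A, "host/vm-197.idm.lab.eng.brq.redhat.com")` on the sample returns the `admin` cache, not the primary `Administrator` one, which is exactly what the report observes.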

Comment 1 Alexander Bokovoy 2013-11-27 17:22:59 UTC
I've had some discussion with Simo and he pointed out that this is expected behavior for Kerberos credentials cache collections as described at http://k5wiki.kerberos.org/wiki/Projects/Client_principal_selection

What we need to do is to convert this bug into a documentation bug for Kerberos. At the very least, this change of the behavior due to introduction of the ccache collections should go to release notes (Fedora 20 and RHEL7).

We'll track it at bug #1034958 for RHEL7. This bug can be used to track it for Fedora.

Comment 2 Alexander Bokovoy 2013-11-27 17:24:26 UTC
wrong component.

Comment 3 Martin Kosek 2013-11-28 11:24:36 UTC
(In reply to Alexander Bokovoy from comment #1)
> What we need to do is to convert this bug into documentation bug for
> Kerberos. At the very least, this change of the behavior due to introduction
> of the ccache collections should go to release notes (Fedora 20 and RHEL7).

What documentation do you plan to extend? FreeIPA User Guide? Or Kerberos documentation? This issue does not seem FreeIPA-specific to me, so I rather ask.

Comment 4 Alexander Bokovoy 2013-11-28 11:44:50 UTC
Three places:

- Kerberos documentation, making clear how cache collections work.
- FreeIPA guide, AD trusts chapter, making clear how ccache collections affect cross-realm operations.
- Release notes of the product, pointing to Kerberos documentation changes.

Comment 5 Martin Kosek 2013-11-28 12:13:35 UTC
Makes sense. Feel free to clone this Bugzilla also to other components of the product.

Comment 6 Martin Kosek 2013-12-03 09:49:47 UTC
I see no response, moving to documentation component myself.

Comment 8 Deon Ballard 2014-07-29 20:22:47 UTC
Mass closure. These bugs were live in RHEL 6.5.